Hackers use Ethereum Smart Contracts to hide malware payloads within seemingly benign NPM packages. This is a tactic that transforms the blockchain into a resilient command channel and complicates takedowns.
ReverSingLabs detailed two npm packages, colortoolsv2 and Mimelib2it read Ethereum contract to get the URL of the second stage downloader, not the hardcoded infrastructure of the package itself.
The package surfaced in July and was removed after disclosure. ReverSingLabs tracked promotions to a network of GitHub repositories posed as trading bots. Solana-trading-bot-v2with fake stars, bulging commit history, and sock puppet maintainers. This is the social class that directs developers towards malicious dependency chains.
The downloads were low, but the method was important. According to hacker news, colortoolsv2 I saw 7 downloads Mimelib2 One still fits opportunistic developer targeting. Snyk and OSV list both packages as malicious and provide quick checks to teams auditing historic builds.
History repeats itself
The on-chain command channel echoes a wider campaign that researchers tracked in late 2024 with a type skirt of hundreds of npm. In that wave, the package queried the Ethereum contract, got the base URL, then ran an installation or pre-install script that downloaded the named OS-specific payload. node-win.exe, node-linuxor node-macos.
CheckMarx Documented Core Contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b Coupled with wallet parameters 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84using observed infrastructure 45.125.67.172:1337 and 193.233.201.21:3001especially.
Phylum’s Deobfuscation shows ethers.js I’ll call getString(address) With the same contract, log C2 rotations over time. This is the action of turning contract status into a malware search moving pointer. Socket independently mapped Typosquat floods, exposed matching IOCs containing the same contracts and wallets, and verified cross-source consistency.
Old vulnerabilities continue to thrive
ReverSingLabs frames the 2025 package as a continuation of technique rather than scale, with the twist of smart contracts hosting URLs at the next stage rather than payload.
GitHub’s delivery work, including fake stargazers and chore commits, aims to pass casual due diligence and take advantage of automated dependency updates within fake repository clones.
Crypto Investor Blueprint: 5-day course on bag holdings, insider frontrunning, and lost alpha
This design is similar to previous uses of indirect third-party platforms, such as Github Gist and Cloud Storage, but adds immutable storage, public readability, and neutral venues that defenders cannot easily take offline.
For each ReversingLabs, the concrete IOCs in these reports include Ethereum contracts 0x1f117a1b07c108eae05a5bccbe86922d66227e2b Linked to the July package and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6bwallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84host pattern 45.125.67.172 and 193.233.201.21 Port 1337 or 3001, and the platform payload name above.
Included in the second stage hash of 2025 021d0eef8f457eb2a9f9fb2260dd2e391f009a21and for 2024 Wave, CheckMarx lists Windows, Linux, and MacOS SHA-256 values. ReverSingLabs has released SHA-1 for each malicious NPM version. This helps teams scan artifact stores for past exposures.
Protect from attacks
For protection, immediate control is to prevent lifecycle scripts from being executed during installation and CI. NPM Documents --ignore-scripts Flag npm ci and npm installand the team can set it globally .npmrcselectively allow the required builds in another step.
The node.js security best practices page advises the same approach, along with pinning versions via a more stringent review of lock files and maintainers and metadata.
Block outbound traffic to the above IOC and warn it in the build log that initializes ethers.js For a query getString(address) It provides practical detection that matches chain-based C2 designs.
The package is gone, the patterns remain, and the on-chain interdirection sits alongside the type skirt and fake repository as a repeatable way to reach the developer machine.